CVE-2026-33453: Apache camel-coap allows header injection that can lead to remote code execution
(updated )
Apache Camel’s camel-coap component is vulnerable to header injection because it maps CoAP request URI query parameters directly into Camel message headers without applying a HeaderFilterStrategy. An unauthenticated attacker can send a crafted CoAP request to inject arbitrary Camel internal headers into the exchange.
When a vulnerable route forwards that exchange to a header-sensitive downstream producer, the attacker may be able to control producer behavior. For example, in routes using camel-exec, injected headers can override the configured executable and arguments, which can result in arbitrary command execution with the privileges of the Camel process. Command output may be returned to the attacker in the CoAP response.
This issue affects org.apache.camel:camel-coap from 4.14.0 through 4.14.5 and from 4.18.0 before 4.18.1. It is fixed in 4.14.6, 4.18.1, and 4.19.0.
References
- camel.apache.org/security/CVE-2026-33453.html
- github.com/advisories/GHSA-695c-x5gc-94gj
- github.com/apache/camel/blob/main/components/camel-coap
- github.com/apache/camel/commit/05cffa5ec05ff2ec3c50a77825625da6e426e7a8
- github.com/apache/camel/commit/3926ab2b7745e36da2cd8e0dc019018bc415aff9
- github.com/apache/camel/commit/e074c01a719cccf3b1c2efbd2ff31e60fd6220ce
- github.com/apache/camel/pull/22146
- github.com/apache/camel/pull/22147
- github.com/apache/camel/pull/22148
- issues.apache.org/jira/browse/CAMEL-23222
- nvd.nist.gov/vuln/detail/CVE-2026-33453
Code Behaviors & Features
Detect and mitigate CVE-2026-33453 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →